Sherlocked Security – Malware Reverse Engineering

Analyze and Deconstruct Malicious Code to Understand Behavior, Intent, and Indicators of Compromise (IOCs)

1. Statement of Work (SOW)

Service Name: Malware Reverse Engineering (RE)
Client Type: SOC Teams, CERTs, MSSPs, Defense Contractors, Law Enforcement
Service Model: Static & Dynamic Malware Analysis with Threat Attribution and IOC Extraction
Compliance Coverage: NIST 800-61, ISO/IEC 27035, MITRE ATT&CK, Cyber Kill Chain

Analysis Types:

Static Binary Analysis (PE/ELF/DEX/APK)
Dynamic Execution & Behavior Profiling
Code Deobfuscation and Unpacking
Network, Persistence, and Registry Analysis
Family Classification and Signature Generation

2. Our Approach

[Malware Triage] → [Static Inspection] → [Dynamic Sandbox Execution] → [Code Disassembly & Decryption] → [Behavioral Profiling] → [IOC Extraction] → [Reporting & Threat Mapping]

3. Methodology

[Sample Validation & Triage] → [Hashing & Environment Isolation] → [Static Inspection (Headers, Strings)] → [Dynamic Execution in Sandbox] → [Behavioral & Registry Monitoring] → [Code-Level Analysis (Disassembly/Decompilation)] → [IOC and MITRE Mapping]

4. Deliverables to the Client

Technical Malware Analysis Report
Hashes (MD5, SHA1, SHA256) and File Metadata
Identified IOCs: Domains, IPs, Registry Keys, Mutexes, C2s
Behavioral Summary (Process Tree, File System, API Calls)
Deobfuscated or Decompiled Code (when applicable)
Malware Family and Threat Actor Attribution (if known)
YARA/ClamAV Signatures and Snort/Suricata Rules
MITRE ATT&CK and Kill Chain Mapping
Recommendations for Detection, Containment, and Response

5. What We Need from You (Client Requirements)

Sample(s) of the suspected malware (binary, script, or doc)
Execution context or infection vector (e.g., phishing email, USB, drive-by)
Affected environment OS and application versions
Existing EDR/AV detections or telemetry (optional)
Required depth: basic triage vs in-depth RE
NDA and scope sign-off

6. Tools & Technology Stack

Static Analysis: PEStudio, Detect It Easy (DIE), binwalk
Disassemblers: IDA Pro, Ghidra, Radare2
Debuggers: x64dbg, WinDbg, Immunity Debugger
Sandboxes: Cuckoo Sandbox, Any.Run, CAPEv2
Memory Analysis: Volatility, Rekall
Obfuscation/Unpacking: UPX, Uncompyle6, Apktool, Dex2Jar
IOC Extraction: IOCe, YARA, Hybrid Analysis, VirusTotal
Network: Wireshark, Fakenet-NG, Burp Suite (for HTTP/HTTPS C2)
VM Infrastructure: FLARE VM, REMnux, INetSim, QEMU

7. Engagement Lifecycle

1. Scope & Sample Intake → 2. Static Analysis Phase → 3. Sandbox Execution & Behavior Logging → 4. Disassembly & Debugging → 5. IOC Extraction & Signature Development → 6. Report Generation & Threat Mapping → 7. Response Advisory

8. Why Sherlocked Security?

Feature	Sherlocked Advantage
Deep Static & Dynamic RE	Combines binary inspection, behavior profiling, and code-level RE
Malware Family Classification	Identifies malware lineage and known threat actor TTPs
IOC & Signature Generation	Delivers detection rules for SIEM, EDR, and AV integrations
Safe & Isolated Lab Execution	Air-gapped and VM snapshotted for safe malware detonation
Threat Actor Attribution	Cross-referenced with threat intel feeds and MITRE ATT&CK

9. Real-World Case Studies

Targeted Ransomware (Cobalt Strike Variant)

Sample: EXE file dropped via Excel macro
Findings: Custom loader decrypts Cobalt Beacon in memory using RC4
Outcome: Delivered YARA rules and sandboxed behavior logs for SOC SIEM tuning

Android Spyware Sample (APT-Origin)

Client: Telecom company
Discovery: APK using native C libraries for stealth keylogging
Outcome: Decompiled DEX code + Frida-based runtime analysis revealed C2 protocol and exfil path

10. SOP – Standard Operating Procedure

Sample Reception and Metadata Cataloging
SHA-256/MD5/SHA1 Hashing and Initial Triage
Static Analysis for Strings, Sections, PE/ELF Headers
Behavioral Execution in Controlled VM (Windows/Linux/Android)
Registry, File System, and Network Activity Monitoring
Memory Dump and API Trace Extraction
Disassembly and Symbol Analysis (Ghidra/IDA)
Unpacking and Code Deobfuscation
IOC Collection and Threat Mapping
Reporting, Rule Generation (YARA, Suricata), and Detection Advice

11. Malware RE Technical Checklist

1. Initial Triage & Metadata Collection

Generate MD5/SHA1/SHA256 hashes
File type validation (magic bytes, MIME type, extensions)
Check against threat intel (VirusTotal, Hybrid Analysis, MalwareBazaar)
Identify compiler and packer (UPX, Themida, etc.)
Determine execution platform (Windows, Linux, Android, macOS)

2. Static Analysis

Extract printable strings using strings, FLOSS, or binwalk
Inspect PE/ELF/APK headers for anomalies
Parse import/export tables, section entropy, entry point
Identify hardcoded C2 domains, IPs, or file paths
Analyze embedded certificates and timestamps

3. Sandbox & Dynamic Analysis

Execute in isolated VM with Cuckoo/ANY.RUN/CAPE
Capture process tree, network connections, dropped files
Monitor Windows Registry modifications (autoruns, persistence keys)
Hook API calls and observe behavioral triggers
Record mutex creation, service installation, or privilege escalation

4. Disassembly & Debugging

Load binary into IDA Pro/Ghidra for control flow analysis
Identify obfuscation: opaque predicates, dead code, junk insertion
Debug payload with x64dbg or Immunity to catch runtime unpacking
Analyze string decryption, function hooks, or shellcode loaders
Use Frida or dynamic instrumentation (Android/Win) for runtime insight

5. IOC and Signature Extraction

Extract:
- C2 IPs/Domains
- Mutexes
- Registry Keys
- File Hashes
- Filename patterns
Build YARA rules with metadata, string match, and file structure
Generate Suricata/Snort rules for network detections
Map behavior to MITRE ATT&CK tactics (e.g., T1059, T1569.002, T1027)

6. Documentation & Reporting

Include:
- Summary of behavior
- Technical indicators
- Hashes and timelines
- Screenshots of execution
- Decompiled/Deobfuscated code samples
Provide:
- Detection signatures
- Remediation guidance
- Containment strategy (EDR/SIEM tuning)

Malware Reverse Engineering